Migrate Cisco ASA configuration, certificates and private keys

Posted on November 4, 2012

1



The fact I wrote this post is to clear what happens with the RSA keys if I move the whole configuration and certificates and their private keys to another firewall with the same IP Address. IF the IP has changed the migration ofthe certificate has not much sense if the certificate is based on IP.
The RSA keys shown with the “show cry key mypubkey rsa” command cannot be just copied to the new system AFAIK. But if you have a certificate and that uses one of your RSA keys, than it can be exported.
For example if you have a configuration:

crypto ca trustpoint MyTrustpoint1
 enrollment terminal
 fqdn 2.2.2.1
 subject-name CN=2.2.2.1
 ip-address 2.2.2.1
 keypair ssl-vpn-keys
 crl configure

It means you have an RSA key with the name ssl-vpn-keys, that you can move to the new system. That is what I post here.

0. Start your tftp server first and make sure you can connect to it :-) (Its funny but the most of the time of such a job is sometimes a stupid troubleshooting with a simple tftp server and for example with a local firewall or HIPS on the tftp server. I cant repeat, why cant we just use linux?!)

1. save the running config to the tftp server

myfirewall01(config)# copy run tftp

2. Export the certificates with privet keys

This will export the security appliance trustpoint configuration with all associated keys and certificates in PKCS12 format

myfirewall01(config)# crypto ca export MyTrustpoint1 pkcs12 MySecretPassword

Keep on eyes on the following files and do not forget the last one:
– ASA image
– ASDM image
– Anyconnect image
– Csd image
– Anyconnect xml profile
– and whatever important file you have on your origin ASA!

3. Customize the interface settings to the new firewall on the exported config file:
The name of the new firewall can be different, like Gigabitethenet or just Ethernet. Maybe you have to skip it, but worth to check. An example is below:

Interface configuration of the original Firewall:

interface GigabitEthernet0/0
 nameif outside-1
 security-level 0
 ip address 2.2.2.1 255.255.255.224 standby 2.2.2.2 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 3.3.3.1 255.255.254.0 standby 3.3.3.2 
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 4.4.4.1 255.255.255.0 standby 4.4.4.2 
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface

Customized Interface configuration of the New (Destination) Firewall:

interface Ethernet0/0
 nameif outside-1
 security-level 0
 ip address 2.2.2.1 255.255.255.224 standby 2.2.2.2 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 3.3.3.1 255.255.254.0 standby 3.3.3.2 
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 4.4.4.1 255.255.255.0 standby 4.4.4.2 
!
interface Ethernet0/3
 description LAN/STATE Failover Interface

4. Install the same OS and ASDM version of the destination firewall first.
So do not forget the following files:
– ASA image
– ASDM image
– Anyconnect image
– Csd image
– Anyconnect xml profile
– and whatever you have on your Origin ASA!

5. Import the certificates with the keys
The “pkcs12” in import command tells the ASA to import a certificate and key pair for a trustpoint, using PKCS12 format.

myfirewall01(config)# crypto ca import MyTrustpoint1 pkcs12 MySecretPassword

Example:

myfirewall01(config)# crypto ca import MyTrustpoint1 pkcs12 MySecretPassword
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
blablabla
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully

6. Import the customized running configuration to the new firewall and check the warning or error messages.

myfirewall01(config)# copy tftp run

Example:

myfirewall01(config)# copy tftp: running-config

Address or name of remote host []? 3.3.3.3

Source filename []? running-config_mod.txt

Destination filename [running-config]?

Accessing tftp://3.3.3.3/running-config_mod.txt...!!!!!!!
!!!!!!!
.INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
.ERROR: Keypair ssl-vpn-keys doesn't exist.
ERROR: Keypair ssl-vpn-keys doesn't exist.
ERROR: Keypair ASDM_TrustPoint1 doesn't exist.
.Enter the certificate in hexadecimal representation....
Enter the certificate in hexadecimal representation....
..Enter the certificate in hexadecimal representation....
.Enter the certificate in hexadecimal representation....
.Enter the certificate in hexadecimal representation....
.Enter the certificate in hexadecimal representation....
..
tls-proxy maximum-session 1000
                             ^
ERROR: % Invalid input detected at '^' marker.
INFO: If a certificate map is configured ASA will ask all users loading the logon page for a client certificate.
INFO: If a certificate map is configured ASA will ask all users loading the logon page for a client certificate.
..WARNING: Policy map global_policy is already configured as a service policy

Cryptochecksum (changed): 7c5ce3f6 fbcaf0b2 44e5d7f3 1e5dd5d4

25481 bytes copied in 20.370 secs (1274 bytes/sec)

Comment:
Whatever key name you used, after the cry ca export the keys will be renamed to the trustpoint name. Check it with the “sh cry key mypubkey rsa” command on the original system and on the new system.

Advertisement
Tagged: , , , ,
Posted in: ASA, Cisco, Security, VPN